How to Stop the Bleeding, Hopefully Before it Starts
Data Privacy and Security Law Alert 04/15/14 Heather L. Buchta
Unless you have been living under a rock, you will have noticed that there has been an overflow of news reports regarding the implications of the computer bug affecting OpenSSL, affectionately named, “Heartbleed.” If your company is running a website for third-party use, then this could present major issues that need to be addressed. What exactly does your company need to know about Heartbleed, and how can your company go about protecting itself not only from potential attackers, but from allegations of insufficient data security as well?
As has been widely reported, Heartbleed is a bug in OpenSSL that has left all versions of 1.0.1 up to 1.0.1f — as well as 1.0.2-beta1 — vulnerable to attack. Due to the fact that this bug has existed for two years, it is possible an attack has already happened without a trace. According to The Verge, “[t]he new bug would let attackers pull the private keys to the server, letting attackers listen in on data traffic and potentially masquerade as the server” (http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet). This could mean that your sensitive business data, as well as the sensitive data of your clients (such as PINS and passwords) could have been exposed and/or may still be vulnerable. CNET, one of the leading technology publishers suggests checking your website with LastPass.com (http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/). LastPass.com has developed a tool for testing your website to see if it is potentially vulnerable to attack due to the bug; this test is available here. If you find that your company’s website is vulnerable, the next step is to upgrade to the new OpenSSL 1.0.1g, which can be found at www.OpenSSL.org.
While this may seem like a labor-intensive process, not performing the upgrade, especially given the enormous press coverage, could leave you open to legal action. Generally, according to FTC in guidance, you should have security measures that are “reasonable and appropriate” (In re HTC Am. Inc., No. 122-3049). It could be argued that failing to address such a widely known bug is not taking such reasonable and appropriate measures. As always, data privacy and data security should be at the forefront of your company’s mind at all times, and lapses in strength of security could leave you open to both cyber attacks and government legal action.
If you have questions regarding your company’s reaction to the news of Heartbleed or your company’s compliance with government mandated data privacy and security measures, please contact Maggie Utterback at (608) 283-2443 / firstname.lastname@example.org, Heather Buchta at (602) 229-5228 / email@example.com, or your Quarles & Brady attorney.